From b8313c2487c6182181e8433e24a200e78dbb439d Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 28 Apr 2023 11:18:10 -0700 Subject: [PATCH 01/10] PIA: Modernize how struct initialization is done --- src/analyzer/protocol/pia/PIA.h | 31 ++++++++++++------------------- 1 file changed, 12 insertions(+), 19 deletions(-) diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h index 5a9babe55f..08d68b6aef 100644 --- a/src/analyzer/protocol/pia/PIA.h +++ b/src/analyzer/protocol/pia/PIA.h @@ -60,29 +60,22 @@ protected: // sequence numbers for TCP) and chunks of a reassembled stream. struct DataBlock { - IP_Hdr* ip; - const u_char* data; - bool is_orig; - int len; - uint64_t seq; - DataBlock* next; + IP_Hdr* ip = nullptr; + const u_char* data = nullptr; + bool is_orig = false; + size_t len = 0; + size_t cap_len = 0; + uint64_t seq = 0; + DataBlock* next = nullptr; }; struct Buffer { - Buffer() - { - head = tail = nullptr; - size = 0; - chunks = 0; - state = INIT; - } - - DataBlock* head; - DataBlock* tail; - int64_t size; - int64_t chunks; - State state; + DataBlock* head = nullptr; + DataBlock* tail = nullptr; + int64_t size = 0; + int64_t chunks = 0; + State state = INIT; }; void AddToBuffer(Buffer* buffer, uint64_t seq, int len, const u_char* data, bool is_orig, From 47ff5a4f61208abaf8f0525bdbef6412512ea839 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 28 Apr 2023 11:19:35 -0700 Subject: [PATCH 02/10] UDP: don't validate checksum if caplen < len This may happen with truncated packets and will cause asan builds to bail out before the packet can be forwarded along. The TCP analyzer already has this check, but it's missing for UDP. --- src/packet_analysis/protocol/udp/UDP.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index 58f12960a3..046e5a2e32 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -109,7 +109,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai auto validate_checksum = ! run_state::current_pkt->l4_checksummed && ! zeek::detail::ignore_checksums && ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && - remaining >= len; + remaining >= len && pkt->len <= pkt->cap_len; constexpr auto vxlan_len = 8; constexpr auto eth_len = 14; From 18a30a7a536ff1741e09b0a3ef4a1bf5729d0943 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 28 Apr 2023 15:03:36 -0700 Subject: [PATCH 03/10] IP: fix weird name to not be ipv6 specific --- src/packet_analysis/protocol/ip/IP.cc | 2 +- testing/btest/Baseline/core.reassembly/output | 10 +++++----- testing/btest/Baseline/core.truncation/output | 2 +- testing/external/commit-hash.zeek-testing-private | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index 0fd7537197..b875a066da 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -93,7 +93,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) if ( packet->len < total_len + hdr_size ) { - Weird("truncated_IPv6", packet); + Weird("truncated_IP_len", packet); return false; } diff --git a/testing/btest/Baseline/core.reassembly/output b/testing/btest/Baseline/core.reassembly/output index 8f50aa51f2..fde583b6a9 100644 --- a/testing/btest/Baseline/core.reassembly/output +++ b/testing/btest/Baseline/core.reassembly/output @@ -19,14 +19,14 @@ flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1 flow weird, excessively_small_fragment, 128.32.46.142, 10.0.0.1 flow weird, fragment_inconsistency, 128.32.46.142, 10.0.0.1 ---------------------- -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 -net_weird, truncated_IPv6 +net_weird, truncated_IP_len +net_weird, truncated_IP_len +net_weird, truncated_IP_len +net_weird, truncated_IP_len rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliidlhd, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], dgphrodofqhq, orgmmpelofil, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], lenhfdqhqfgs, dfpqssidkpdg, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfOOOOOOOOOOOOOOOOOOOOOOOOOOOO, nlkmlpjfjjnoomfnqmdqgrdsgpefslhjrdjghsshrmosrkosidknnieiggpmnggelfhlkflfqojpjrsmeqghklmjlkdskjollmensjiqosemknoehellhlsspjfjpddfgqkemghskqosrksmkpsdomfoghllfokilshsisgpjhjoosidirlnmespjhdogdidoemejrnjjrookfrmiqllllqhlqfgolfqssfjrhrjhgfkpdnigiilrmnespjspeqjfedjhrkisjdhoofqdfeqnmihrelmildkngirkqorjslhmglripdojfedjjngjnpikoliqhdipgpshenekqiphmrsqmemghklodqnqoeggfkdqngrfollhjmddjreeghdqflohgrhqhelqsmdghgihpifpnikrddpmdfejhrhgfdfdlepmmhlhrnrslepqgmkopmdfogpoljeepqoemisfeksdeddiplnkfjddjioqhojlnmlirehidipdhqlddssssgpgikieeldsmfrkidpldsngdkidkoshkrofnonrrehghlmgmqshkedgpkpgjjkoneigsfjdlgjsngepfkndqoefqmsssrgegspromqepdpdeglmmegjljlmljeeorhhfmrohjeregpfshqjsqkekrihjdpfdjflgspepqjrqfemsjffmjfkhejdkrokmgdrhojgmgjpldjeiphroeheipolfmshoglkfnllfnhlflhlpddjflekhiqilefjpfqepdrrdokkjiekmelkhdpjlqjdlnfjemqdrksirdnjlrhrdijgqjhdqlidpfdisgrmnlfnsdlishlpfkshhglpdiqhpgmhpjdrpednjljfsqknsiqpfeqhlphgqdphflglpmqfkkhdjeodkelinkfpmfedidhphldmqjqggrljlhriehqqemeimkjhoqnsrdgengmgjokpeiijgrseppeoiflngggomdfjkndpqedhgnkiqlodkpjfkqoifidjmrdhhmglledkomllhpehdfjfdspmklkjdnhkdgpgqephfdfdrfplmepoegsekmrnikknelnprdpslmfkhghhooknieksjjhdeelidikndedijqqhfmphdondndpehmfoqelqigdpgioeljhedhfoeqlinriemqjigerkphgepqmiiidqlhriqioimpglonlsgomeloipndiihqqfiekkeriokrsjlmsjqiehqsrqkhdjlddjrrllirqkidqiggdrjpjirssgqepnqmhigfsqlekiqdddllnsjmroiofkieqnghddpjnhdjkfloilheljofddrkherkrieeoijrlfghiikmhpfdhekdjloejlmpperkgrhomedpfqkrodjdmrqfpiodgphidfliislrr, A rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], iokgedlsdkjkiefgmeqkfjoh, ggdeolssksemrhedoledddml, A -net_weird, truncated_IPv6 +net_weird, truncated_IP_len rexmit_inconsistency, [orig_h=63.193.213.194, orig_p=2564/tcp, resp_h=128.3.97.175, resp_p=80/tcp], OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO HTTP/1.1\x0d\x0aHost: 127.0.0.1\x0d\x0aContent-Type: text/xml\x0d\x0aContent-length: 1\x0d\x0a\x0d\x0aO\x0d\x0a Date: Wed, 24 May 2023 16:31:08 +0200 Subject: [PATCH 04/10] IPTunnel: Compute inner wire length based on cap_len differences. --- src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 14 +++++++++++--- src/packet_analysis/protocol/iptunnel/IPTunnel.h | 4 ++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index f1e44b19a4..4730e13f79 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc @@ -172,17 +172,25 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index, std::shared_ptr encap_stack, - uint32_t len, const u_char* data, int link_type, - BifEnum::Tunnel::Type tunnel_type, + uint32_t inner_cap_len, const u_char* data, + int link_type, BifEnum::Tunnel::Type tunnel_type, const Tag& analyzer_tag) { auto inner_pkt = std::make_unique(); + assert(outer_pkt->cap_len >= inner_cap_len); + assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len); + + // Compute the wire length of the inner packet based on the wire length of + // the outer and the difference in cap len's. + uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len; + uint32_t inner_wire_len = outer_pkt->len - consumed_len; + pkt_timeval ts; ts.tv_sec = static_cast(run_state::current_timestamp); ts.tv_usec = static_cast( (run_state::current_timestamp - static_cast(ts.tv_sec)) * 1000000); - inner_pkt->Init(link_type, &ts, len, len, data); + inner_pkt->Init(link_type, &ts, inner_cap_len, inner_wire_len, data); *encap_index = 0; if ( outer_pkt->session ) diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h index cddd981045..ec91ac605e 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h @@ -99,8 +99,8 @@ protected: */ extern std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index, std::shared_ptr encap_stack, - uint32_t len, const u_char* data, int link_type, - BifEnum::Tunnel::Type tunnel_type, + uint32_t inner_cap_len, const u_char* data, + int link_type, BifEnum::Tunnel::Type tunnel_type, const Tag& analyzer_tag); namespace detail From 2b9de839b0948c7de3eb5ed4a397194f96aae6b5 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 22 May 2023 13:20:52 +0200 Subject: [PATCH 05/10] UDP: Forward any remaining data (also empty) to session-analysis The protocol analyzers are prepared to receive truncated data and this way we give analyzers a chance to look at data. We previously allowed empty data being passed: When len ended up 0 and remaining was 0 too. --- src/packet_analysis/protocol/udp/UDP.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc index 046e5a2e32..1200cd2f49 100644 --- a/src/packet_analysis/protocol/udp/UDP.cc +++ b/src/packet_analysis/protocol/udp/UDP.cc @@ -225,9 +225,8 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai // detection has to be used. ForwardPacket(std::min(len, remaining), data, pkt, ntohs(c->RespPort())); - // Also try sending it into session analysis. - if ( remaining >= len ) - adapter->ForwardPacket(len, data, is_orig, -1, ip.get(), remaining); + // Forward any data through session-analysis, too. + adapter->ForwardPacket(remaining, data, is_orig, -1, ip.get(), pkt->cap_len); } bool UDPAnalyzer::ValidateChecksum(const IP_Hdr* ip, const udphdr* up, int len) From 568946ec1822fcf8058f5f90ab3ea8aba08b16f2 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Mon, 22 May 2023 13:54:07 +0200 Subject: [PATCH 06/10] IP: Update packet->len with accumulated fragment size With packet->len representing the wire length and other places relying on it, ensure it's updated for fragments as well. This assumes non-truncated fragments right now. Otherwise we'd need to teach the FragmentReassembler to somehow track this independently but it would be a mess. --- src/packet_analysis/protocol/ip/IP.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc index b875a066da..1803122c27 100644 --- a/src/packet_analysis/protocol/ip/IP.cc +++ b/src/packet_analysis/protocol/ip/IP.cc @@ -205,6 +205,8 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) } packet->cap_len = total_len + hdr_size; + // Assumes reassembled packet has wire length == capture length. + packet->len = packet->cap_len; } } From d9718342ac84f9b3bb2eb625133af661115f7110 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 28 Apr 2023 16:31:12 -0700 Subject: [PATCH 07/10] Add btest to test Geneve->VXLAN->Truncated inner packet --- .../core.tunnels.geneve-vxlan-truncated/conn.log | 13 +++++++++++++ .../tunnel.log | 14 ++++++++++++++ .../tunnels/geneve-vxlan-dns-truncated.pcap | Bin 0 -> 408 bytes .../core/tunnels/geneve-vxlan-truncated.zeek | 8 ++++++++ 4 files changed, 35 insertions(+) create mode 100644 testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log create mode 100644 testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap create mode 100644 testing/btest/core/tunnels/geneve-vxlan-truncated.zeek diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log new file mode 100644 index 0000000000..da327070c6 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/conn.log @@ -0,0 +1,13 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX C4J4Th3PJpwUYZZ6gc 172.16.11.201 36872 1.1.1.1 53 udp dns 2.000009 54 74 SF T F 0 Dd 1 82 1 102 ClEkJM2Vm5giqnMf4h +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 udp geneve 2.000009 300 0 S0 T T 0 D 2 356 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 udp vxlan 2.000009 228 0 S0 T T 0 D 2 284 0 0 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log new file mode 100644 index 0000000000..58cb917657 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-vxlan-truncated/tunnel.log @@ -0,0 +1,14 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 11803 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 127.0.0.1 26383 127.0.0.1 4789 Tunnel::VXLAN Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap b/testing/btest/Traces/tunnels/geneve-vxlan-dns-truncated.pcap new file mode 100644 index 0000000000000000000000000000000000000000..237704a8af974c836b652b539bcc157c003a5990 GIT binary patch literal 408 zcmca|c+)~A1{MYw*Z^cO0`dP+iwy|TSWjB~Aj1^-Xa)uj1_psiAT=#eHR&)l>HI=l84Bc+fhxdiO4jVOzf|k-v3~Kk z|6o&tJ_98j1kdhYBfx!<5eO!5Fqksf9iRBigHZwOFrZDG$@xX8IhpAhCCthBxj+Gs zgr)$s)da)TfZg9R z{SeIk5SL55(46C11a^Pg1tSNb`!`gA+z#>sgDKDlL0$R3JQ^E-&SV0bh|T>6cp$!D Nuwh_1Zj;V-001xZSo{D0 literal 0 HcmV?d00001 diff --git a/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek new file mode 100644 index 0000000000..ff1e2b3ae1 --- /dev/null +++ b/testing/btest/core/tunnels/geneve-vxlan-truncated.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Tests truncated packets tunneled via VXLAN inside GENEVE +# @TEST-EXEC: zeek -b -r $TRACES/tunnels/geneve-vxlan-dns-truncated.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/dns From a41dfb28d5c464d2369c721326bba608cf9b7571 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 24 May 2023 16:28:32 +0200 Subject: [PATCH 08/10] Add regression test using pcap from GH-2683 --- .../Baseline/core.tunnels.geneve-47101/conn.log | 12 ++++++++++++ .../core.tunnels.geneve-47101/tunnel.log | 12 ++++++++++++ testing/btest/Traces/tunnels/geneve-47101.pcap | Bin 0 -> 27100 bytes testing/btest/core/tunnels/geneve-47101.zeek | 8 ++++++++ 4 files changed, 32 insertions(+) create mode 100644 testing/btest/Baseline/core.tunnels.geneve-47101/conn.log create mode 100644 testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log create mode 100644 testing/btest/Traces/tunnels/geneve-47101.pcap create mode 100644 testing/btest/core/tunnels/geneve-47101.zeek diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log new file mode 100644 index 0000000000..4f1b0c13ed --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-47101/conn.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path conn +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents +#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 udp geneve 1.025005 25684 0 S0 T T 0 D 24 26356 0 0 - +XXXXXXXXXX.XXXXXX ClEkJM2Vm5giqnMf4h 192.168.0.107 45474 145.40.68.75 443 tcp ssl 1.024744 781 23111 SF T F 0 ShADadFf 15 1569 9 23587 CHhAvVGS1DHFjwGM9 +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log new file mode 100644 index 0000000000..06848a4135 --- /dev/null +++ b/testing/btest/Baseline/core.tunnels.geneve-47101/tunnel.log @@ -0,0 +1,12 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path tunnel +#open XXXX-XX-XX-XX-XX-XX +#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p tunnel_type action +#types time string addr port addr port enum enum +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::DISCOVER +XXXXXXXXXX.XXXXXX CHhAvVGS1DHFjwGM9 127.0.0.1 47101 127.0.0.1 6081 Tunnel::GENEVE Tunnel::CLOSE +#close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/Traces/tunnels/geneve-47101.pcap b/testing/btest/Traces/tunnels/geneve-47101.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0bf57934b00f48ef3f8992067c51e8b105fa34b0 GIT binary patch literal 27100 zcmdS9bx@qk7PmWtySux~;1D3VySoMV;1b*k?(PJaV8Pvk2A2SVpn+h)A@B{^XP=Y3 zk9>7+-G6RZb=CAt&-*^Ty4P>5S?|pC*B3wlpaB1BPyir!AimITs=EaT@BzPm?!PxU zfCK>Gu(K`<5JuO`^#=fe&%OC4ZZAOhd7im804))~E9N`m8LNEgB(*W{>l*?R%EAC4 z7^9t@GJtIYow!_GA+S9p`*h;@JNXcIryG0#00b0tBNPN20)=-p()0U3NJ!XcmXrU@ zvhj;0=fAQ1LGcICA1nZXFn|N5j_aA@nFrWjSNK@{W(>?TnUCQ_7EAPtCHk4gM(RrR znFq`Q_snAQ6%ODEW_#|xw_jJb*!l8{rT8x_s?YQOi(NP+RDRjz=x=tJ1oMmspaHKK z=fHLV{;~CoqE-1mIWyI|GF6&gL_N`d{`2LhHXXK=4VZJ~J5X{znEp;8ly% zKN<3$8E_zh5a5FXe1L@9D8{(cpKM9e>1y75PZYdk5oL3>X`t@zp!idFCQG4(>}84e z`HR}KT#=D1^(A3s%uYuoMD}y0f)gWy?=)QXj)0e#5SWmdz#gU^5Fl^7e7tPDqKC1E z6_DFQ)k6oc?V;?U1z7eV^k4z_dfB600nh*_03--2b~r0n*Vn9UENlQA z@Fj4;oekWP0U!Vi6eKhx3?v*Z92^`x90D97926Wh91Ii?8VCbE2@sHA3jiS@ARwS1 zpdnx&0E_^5I7leS=TCqDW&i{b2k@SJ0@l6-yCy1B>Q|e z01e>IAo#~Y1RugBuv6wgGxR<)Ac7qd+<$M+4vA>7^YxiQuHbhD#NQn9?+l2XF=@{X zcqRXhp`iMo49m|9IFOJ4JFqiaK|(rwDMNU3WZlN*#R%P8sa&x?3I)_{MWUo`M5 z_8x9ETd4Pb4EN|{g>p~{sVCwAk+V#&# zkeCpv93T>0WOjBoHa2cHUJyG6k1lw~0lpCDuOYWCh>VQ{MD%l6v z^WS_C6a=LB9RvssfD8hn0>JMhKm>u^Wi){-&!fSLU-aB*Re7DDt?ShctDe4r1+^t@ z%QXU$#f`)Z6_FnwmNfa&y1kR=C-=Emuqww`R?>&oJgIZ14r6JYBTldQRMe9D(`wN( zSI0gLf4nBPLT3yu2oHrFRtm`!mMEVxnOAZ;TS{_gmn$?0k1QmkDxP)y^2v(PcQ`Tg z3|%`^K)z5|ua?-`c$m-cNJHs(rFxU^%UjPDA?%axC;_cFU4|v?q@rZ~%*fAjUvJ5W^r8uq}yEfxssyC`btCd=T;T zm>TMNuizMAfY8vekidVwf&d{se~kG&9RdXSV=@X94iuK;l8l<3r)HkFrxd>S{Iq1l zz*;eg^m#HR6dnjC01Jzy0k>IObF4-gUU-+ZHYWf9xi2Tnn2pER_ zESWD@S)Dmp99itl!Dr=JX+aeKoB|Ps^RFq^|C+)I3e0@IF*;OWA}BB}=szEmAPf@+ zGiOI@v)_(R5Q?R>>+fTPe@T20nw_iD&F#!xTz;SRw@?9+ ze`X_tk^qT;;9y`Z1ChY`4&s491REO)7_Lg9p(m?>w%7 zTw?e@>hFyiU~LHroYCI}JclkRkOTx7>&JXVZAeNikn;KQ}`!_CpuHB8nOi)i02>w7mH zhsDL36oNc}4B-2Am^5wB9bw z0M=KG?^mH2YOaW(krQzfZ;R)-D+NC!CEqomwA}mM2)VV_G*K)BRX|>2VteG63e+T3 zE^V{w2d#b|N!1-4vaoPivUmIx6W^)sSJ`Vmk3&02`v9SjQLKRO4xuz#sp2teEmjmF zmMoMC!|4=x^p>Wl^J^u0D&aBt4}!)0H~j1TbE;nWn9=t6?d;wq-ECT$565L)`8GC# zv~BM=W|{4;b|oUP4e)}l3_PI&I#p271O{qW^5|wOHqL@$?P6_v-J6pkoIMO!WV>GH zOlWAGYk3g!+^NbMsyFtf#v67m5#K@M%EWwRDP^@(~oazu&4}x zCIBlo4%o{d|4?jnKmsG2>=Y7SsoK>73w5cH?%&J?QuNRPGdFc}ws!R*Q#E%nH*q$#B9n4BOU*$b zJ`gA9S9?}-E)X9Z7aRBUSoi-`g!sSddpiU+-S}00@+>OGQH(}n|4q0lk zbrA`>dXlNA!|!;U8Zh^Wsy4GuR=4>jR3%c&d(|d6M^ulSYQD#<8^7Lqr(XHN9wqIa zFsCi!Y=_061*gxQZB(2VeZ~z4*PzYW@jh^{dL~R;5O;VFzWt2xI_z`rij%>dfVSBV@o%ShBLhDLj7H}rxy_)q~1MY;(bep_YlfayPX2=T$a4X#i}(ee#&S_%K5BT z3iBu(N?c%FL+#d%Ij#zM`CX+TY8Cq*`VNExM?9#%>N_y(Kj}NfpIQS61Yta@(=UC8 z1Hpi09s>Bg%Kt|Z|6S$18g+KxeAw9rx&**Qj1XvF9b`Fx*#EpfSmkLzRR2-JJ=s|P zBH_;mkC+sS3Cwx3}nt94TU+-#($%d1Bz)?OURFtMHGItp!bpIDrJRfp`m zX)E~+22FC3Rz9&gR4)QW4H~joS^*xZ-FbK`bhupzIa^K8<$Y`A zNF=V{ru+^s%2g+0XKEnU;ryx~S*f4S?ADF;tzL`t#G}3v4*esE24(FC`umt~K1uPo ztUs#?;iV*nP7mHUKhY^zu|MbFQaf;fAXvb!{`VXl)^%t5IR{rt{5=PUHGZD=$B*K_ z=isoSF&V-DP8h<}zvkd!fBX)>1Gwk3|1}3+urwsGE=p>-%!y(}oKY1kab(vrS6~m^ z;8hDX@H4QW|JJg$ozgVXq=_LqF`zg^%`2{Ke>4fuz&Bc{W%#no+7li#h3lbAWTuuECF%}ac)BYp7W&^RYgV^}kI6)lGddvyp z;{dVo{u=&&9{_?N{yiCocuvM4z{xn+53Bd7TrRM9eq`k`YS9secYSW&;Ej)V5ZKkq z_q=xND}21Pakv5~(XFmqh1rQGeW)}2iG^X?O*-?9EsNam6Nf;X^yQk@MnlUJ#u<60 zT<_a3Cu>;?3%fW!f!E#D^b{~ZwtIF1YPRI!nlt>8A@gRX(tI+cDb@CQYm^WigIPYw zXhjFOepq3h=8bs+`I?;2?HnX<7gw{kVp@5Kqtq9RF6TFexc}7T!E#amM)r$51~t;_ z7)bj3O*N_`%;jVJZnOs3Xrag=6P5LP=AEl0idz|BZ~PA@z66aM&DUc0Ns znXEK}(`cJ0>&s}dIQPxhW!J+y5U}ZS+;Ay-TRf@A+-|w|D9&}nSsjqKGSEwbYtW4h z3nB+qK=%{`)TNF2P7G2mRytg}ne^T=cry++B`(F|$5+wm^#|CI)l>@7gjSD*XI|eCY~HDuX#-W^7CY% zw66FKlhfVmrd+(+(*U+{Xe1g){g2q90FwJHwg~+-wtzq^e=>kmb&B6o_2+vrgTvL| zQ+9#ptCB)-fxvE;&zjF1#`x!#obCR`4fbADB_(w+5p51JRe2UuXS?5ia{b3x`}a@> z&VvzL0CuSkPbjL>HEYp(x-iwOWnbgEM-d>gmHT$=MB5#+E*h2k#3SI`#t&h$uwFTM zt{>61@#$X{7C2}ozeZE5Yu~P&F6?In&ZS-ql5ug|E}3wDaf)edX{rd4Na;B*r=;6k zC>XPZTgew=svt}v9bLbyv^K!J)C<$5_^6<<{o2yLPis(;Ph{$?cCfa6#-r9gH_9mr zWyQ~kwCS(2yZyEMqkrpCT!j2 z8kOk1k&{mZu-LUbEGiTC=Rc6jd|Z)iHR>7BhhjY}(Y-;(pyBK_7(Lc~61GJ>4M3)) zhO-m5g1Qf`J7JN$GRGQ>)b-zeS9B%O>*vJTTHtVpC`&Y2qMhli37VNmOGP!ceJK-; zZ~x;1v~c&(4_Cx*y~*uoKfSSDk@w_3*&K_6y?EKq>1iH&F1QZdthMjt)^Zn!fh^s^ z%WR958;g%~X&5=`J0h{*eSsm@Xtg1&id|lxPE&R=($yQ2SM;{`S`r@%ijyb)Y=BOnpg7@kc}kSH#-E)w$(o2BY2o$*}v2;V)(C z{|kfqFNTAEX9#;Pm7fro{X4_@|7O_x#qifh2mjj+8owC!|D7TF*$xMIEdS1+yZ1ls zu>Xr8`~SgSX#Qf@`*((z6)?jtPSL+J%z+us!Dr*S|K5H*w%Fb|_{Bi{7l!HQdH?0H zMZJX9F9xgs$bbjDlmb`M|MA$O>-ju9A5KX$06-M%>lV4=#BD+o8aw$Hjkz&N@H8`A z`)HPJ)~s4?yz&|1Hl=HmdN-QW{c5;_ynD^gArxJ#9iQ)g7ch3A&$MK}Vu3FO1U_Go z?#&x?KfQ)Tw8*0%x{6I9OOthF8&ReBqqU(=7a`&%^)w%!2G()f3MIg&QAZFSPzqkr zbN{{lvOvbJ@GlFX|HT5K&-4Csjta1h$$HLFDIEWrqsFX+WdBeJ0OzPKgMU~6y!szt zuju*>`!gC;iuv{tfQ%_>*f!jBJ~#G`(d7jTjhizh2_`eO^yH20JK`LFjA!f{F!lx* zz}KL*=nL7C8XCapund+_<@CbX>5V zE&gF=be1oDq>xtJX=jpfYVNKK0>A}zhtF~W0!`y7dP){63& ziPCYD5;z;T+0iCUMhOqaZ3)4beYTfAty?Blyx5}8%LNI+ z16+B))qHUOy*)3N$6{CPdAXz_zb}_Z^?BZZ-X$K+nC$0WI?Vs;F2y2)cd6s~iNeG` ztNGXP;9Z&nFIO1vANvC=CWs+{rc{t?eoy6q6Y1L0TPk6Hw-O^#%!E3+bRUvN%6GK@`)lDU&EPJ6o_4D$O==kmpxx{2XYH_@9_|uM8qfsk?TUN(c7`X6D2{V%n zC^e?DM)#%F(rA^;YRZ#XUp2{stC$$g?!43s!c2I!b|sYB)dgF z>NrZ6dj(Ah&&KL}Fhm1`7n#E)G&UK*zoP{D$=ucI#i!*nf=K_)J2DJ7&H;mcXN$3_ z=)_NNLi9Ku4$KYBkPB~;DLkrD^zohfc$FD2AIN=H)AlL$@w+>C0;hc)^=WQxu`Lw* zdmEy-+gdw!rPxU;`YJY+-l%R=XA0Q!G~=T(n7u>#x<)z17U0o8!`sxxyZ{uXPF$xy zVI5@=yd7lWpuq+X3UB09g|KSO#IuA#R}F>M)3}(!!6jyPteTE@_2j(1aA{^>!}Z*> z2`(BbobFsG4UMD@R8@Wyf8}VR7B)o7k=5lTJhp&D*O2J`F9pW)>gQA82z39SpP->h+*kc{+ z{A8#nuMxZ(o7p>t*RPf|%di)qc|)Y>&ri^SR3>E#quIP#=kSPyH<@`8O67)R^$jw} z+$U6Kxy(E>+AmY6+&;J7c&1kv=}vk`#0!^?vZqa5KT+q#x&u-4fjJ5l5hHV-drDa{ zo8<*@QqqZQm(!~*!h3fun6>MUK8P?xy)WiG!#g0B{^ap4tmK>$4*U z#1bn$jfJRIXy5(`WBlPZ6RCdC!3~Gs+E+b9$9L8%p%Dq6%WnhGlwiNUP$5`cO{OXI z3|hT;45}=t$+`bAStXSZ=PC1nwl7!e=<~70#2aMEW74#@4P5F(+nO!#IL)c01}z1i z@)eQ%iBlON)yF(cdT&kA93(*!%-P}xZ60e6n9TlPl3Y1+H!Q7lT>HIP2HD8=yj0QK zU2pV%?7AMhcfl$`u_;fYkYpAxeIjG|I7vntJIoskWulkj^+~z8a(O>k{Jds}wDqF8 zxz$njTOc$tHeKDyQ?H9}?hKPDC)0fobh&d+5!ILOkYi<^^re0r{TlLm*HE=^njDw# z5w#AARiq-V;NZ}X;4n`eqxbSpzI3vW-D617Bfhw=99);~I9!BxvSSIh-!k{cC<^Hk zePC)Bn8d9LoTepNj_#olzLAn`{fTY*VriE>Rap>E-u+M*3N$xF1K&SoK;nW*Cj-V+5 zF4(ed;fHe#RGO>n;?pZjrUwb+y^r!rim9hRfof4Z)XtT%8Mv((Wq5_MlFHmtpnddw2*XkI5{s@dP zrg6c{y)CNR#9`XpGsB~~gqiE~)2JNM8s0~)PVq>kTWsQvv?gx&r*ZN@-o}hp-%g(@ z-5T9k;{9Yz^1>ypQ_dGRv;pf*iQ}ELgYWeg!cS*$fGo-}}D?Gxbz6bWa z+QwkMuUuU{s&FH(a@Y5=CTk8HrQ%7v#cwGJ;5${Ezu4J)D6K~tZY%e#C?HFT^D4-= z1SEf?A&QhLMJt^+tD{GvfwP>9^VKB>NM=xiscM`}hNzueytx?<){$1(BX9hdq}9B3)m7RUY*-f@jtjd;0rnAf$iRkaIEuc^Q5xLu ztM}N6?FFDm^AyroCj|kcEp&J}=xT-O*&Qot2D&+3BP~H2TnZm7g@w6xe&9pBD95bP zW5=u#nPd~9*G}G+Hr`0NwDDFC95=#hBNIHvCFrRqHw`&dNMJ-hU|DrCumPU2?TExg?WpV^sxlV`bd-Hpilp>X1fUh7xR=WR_nL212=4 zfjkGS%hmMz5mQgDUO(%#^O00u!5xk0-S~WnpmHAb1y|06%o8lF33sGJ3>J3u)+qSd z3STM{n0g7+1*o7Gw20&wC-A>y2s#lbYnN$OIreV%O7WP>>V2OeDd=W+B9ZHXq!{|v z?e?ds*XIk!wPVsjV#vI@QL$+*)LV*oj|Z>Nm9XZMOYNc`vmcP%XYVNE4&zW^#?U;0 zPgF@4FH8g0_%=4Z#1?5pzhIL18Vu{Eh30eh^Qj@udtk-xMDD-ySH@;uBI%?}-lV{M zQCZS{ceI->+PsPBiHe-qVQ1g?4n^x_j$qkN#>cxByS_mw>}}$Xf@7Tby(qfO8`A8- zx#mewtNZ7aDv_BcGT7st&_7hID6l0D+ViarGLo%pGAK6q6eHL4e@KSJX$2OHV5WQu zaCj|fH*&&4;pyrsl8rYbde_ZyA&BViyt;Ql$ltk`&p$++omKOt^6K5~z@VnhKu58d zXoY3;qa^Nir9x4_(&W=(^a3Q4IocN4OBL)EvEntX=C4<+;gJKTQM67Td~ijmx2;W1 zHbUkrKagYYll#{bB@x0Bg`BwMg{VJY`%3V0^_tQ1A`G*&|`X5=^!r%*QCN>4;QxiXBm4PtoY9~G6{uSV#9@znu^D0RkE&pArP z*{>kSS!CLq;D_;xBn|GvsF?!j?2PQHi`^fXQR};w95e&o^D3;|`;lk2)zS@;$N&K~ zzFyvoj0#nHS@!;1TZ<<3&={V2b&(z8)1-6I^t&HBRF2eUs{Lqv99g};#uVgE9_AnqH zy`gt%DY>gp5_NE`Z@NZuF+}N7q0?fyXz20{sqMDdp#GwZ5gYqec=GK2O`k2Ggq? z2a#*x*-o%EnK2ZEoB5xw(Hq7&lX2OXJ%>7PdV4&wlPKZMEZypDRFb39ig z?O<3(tqk&xROi#C+edbKvvayYCJ}7IrEkP|bqd8}y(1lHn?b(T2ry@B!H6@TdA=KL zjHJYI$vPuuMi}e4FakGb**^2nMK`9>W+l;|4&+m?Tn;4}TqN|64>-o8pj&S&i1365 z^ou5xh{Afq4%Z!c>hWtJfQ<4EOIk!@A+qJbk4tmH2U{}br&1pO;*}^{G zFApDY=$HkGv)gY{uu`B;AvJtd7V;4ZNe)+)T^g6h=<@u;>B_Co8Rrh6Sv^fu@LHM- zkW0&^%aYA^`c0xVvW7wMKs^OusQn2vYBbgdEgLHc)niz=ujVKz2_w;Pa_>zId!5wV zEF^Lv5l=g+ADvA?q`yUScdG#__u`Gr+ge71ybb55SBWH`fYC>$E8}o|>7~AN0@rS5 z%-*=fz<$&npa++(G(xS`c3ECnJnw>{R!r3rhwrGNKmDG8(gvY-sL=PAh94n8m09V)2yr*Rw0BTyX@VAq;Pet<3#j%m~`tZg0ZX#+xP`560i z3qy(KmcvAnGkuMe%dV;3=dml97{tG{uh9;-P|3O)*+*v}-k{k!#)vHjFRbb zRxK=I=DVKYbWZv4XMB%=2*aJ1WcQ>J!#|AZ8iH;n--J6YKaRv9z6<;Qo#*B{#+tUw zPZ}NJ?NykFg#Nv7S0O%$VsuSfgwD$kJe)~d5|a{-m+&o--p%M5oz@!p?mgB>bItCp0`U-%e7y}% z^`)i4bbY5U_x>h)n+8JX)Amnv9blUk&*?!$Vm+Sq;=aIWA5vELdoty|Q-i~_+mUE- zAG2!({>^~C_e>qjZZr1}Y>9BASNYO$iWiEV*|bs9)Zx=BvWQD6PTeW<*S4gu*}hY- z9JMqIAqq0P*qxd2-TK4TPwIM3oIowCm~h0-Cwx|;m354yT3lcKBx*DM_?>BB!F zQ04sXih=*UEyN<0ZHe!=$K?*{4L0n&MrWX#?vDR_QX6PN545;yjxd7AE4;cy_qN z2&*^9GM-#!h zbA(shO@b-o*nCvC{#!r5ZSM~jvjG@oq2u*VLn_V8nae7cD!rWDykY82-Cn~a=U7QJ z!4K)K*BsGm_89E}?|O3?i1>TOmhpS12(AqiQ3TQF@jQDK%jqf=p-nuFggi^coFLLq z$v=H~8~-(Te50@-30^DZvF9a>XAE1^j1Q)gsGc8Nb?a0|cEcydakk1;$O{%LIOBKQj|Fu{J7LMY%NBtTipY z%3qF*hsEI8wRKs0`q``MrToNX&#SXh#JFNETYhR_hiJJ*Uermx61OofGd0RHngvJ+V=v`#v*LA}8@If%L&3XBjt%&Ywi<-7sPO zL7j~BBO!O&C~(75RDqG`1vdd&Z5UZT3M+es$#!q2CqMkF6%t@fQrfo&c>&&OzAHlQ z3bK?GBpes3ErY4GEHA!3X3IcJq-`Pf)S*u)W!DkHlHcUk7?G+^g;a3*I^kQ{ee1r` z6Um?5R8hfsGQyUbW3re=7B&T!Sl_9(Nzw6b6J>l^P1XnhJ8>wVJsh^?Re6VOm~~k= zcZ0<~0KzEHKV$AZ@?DWBUYixHoxM z4uw{8^1c*Ior%!uN(P=lIVOiE4&i+dM1y1ri(wf1sVHM6^0}SLm}6VAf$F0{Pug4l z_nLSpnV}Ph2|w>nN2UG5uvS7TcnLE-XppAYYPX?=NuP?Pk)&B87YD*Tv|kb3ou9fi z=L0zyua7@wV|XoJp+>dh+gm3|W>)VVhP)VC{qe@2dc?nWX5)qK;uQZ$wl5u~8_}>E zOl8op3H3nf;)~e;90?ZpnB;kW4)r`mURN`yTl{gy9L1CGlia?BbOF_UEh=g^FiBc` zyP=-_o_h02q0FtkmyQjIF75!~NaiHLsM|5C_H*L>1~@2o2?BJSpvL8`D4{~M!-|1d z?KCldtMPW_)!cX)gJ!$6I-B%N3a_R=&CqtmP%;me7mwS1aPqd_kU^OI;FbjELIT=I zU44831xt^@(FmuXa-E#bN>~Tv*~Hck?jLw8m*D5Kr}CXbU1^k3sW8geFMH8wn=?A(ODy9sq#O&9 zIIdqzB`X)Ttam9}l}1IfyQanwDSZ2WsXxSDY7m7<(uO(NVzz$-8p3Kl$#IN+1pl>U z(xF~Y`SRn4hMK?o4WEZ?r>aIZOoquFt=dtcZ1wuGD1h)$=X6XiZ) zggvWbFC#Cpb%N4WXirgG+YNhasZ*JUt?HDOH)le=jP|n>;-V0|5395Z4~se9nd_(G z=&vYQdqjlB#sTA+UGI*AlJjdpG{7{Q4av zMt94%sUu+MM$CyP1KAF4!0-ArA|d4Tw`Rogc=l=2l%39Oc#5 zLCnz5=#L0lSBv7&j#J-VzG~YH3T&9wiEc7~llYw0nP?o#rTwY@`oK(MbfCIp!LtbG zYNG-O9yxt;uZ7^U4<=MMzlaqFo=_`cy}N_{~Hf zHB+|wRf^(?q8()N4%J>I^9^hFkr|Vo8M@3kAL(7M{d~XQ8TbhE`F3Jo90! zU4|peK0gv)wcv(GJCZ^($232Lvc(AA4Z@Et(sQ# z?Gs!>zQCRxyrx%XwK=7hz?NRV+76Gq>N$AXgC#!$6&@1D7(JX^eN9;e%Q4Dc9o*<= zgF}&atg_q;qoqW3Olc%H;9aS@FG8Yzf6Y@a?YNgGfd@Ht;{PdLYP&Pzi}0f)3=I4F zuuwOOU=07Mue2F{6)hnJ>;LZb0)=GV`{0z}i@H^IfOo@boY3zW#q zz?V-Jw{7K{Y1PphId#y4omw`8%zG%03QVH%Z{4;G$WkNY^xG-2IqNXVR*P5R76Te# z#WObyc>PH7D#mR18ColcRZwEj8zt_v>M@;&@}a-cR!=2h6)I6l2f$%ApI4y*E0&-b z9$8nAj=scj-X4IU738WZ1rCZV*JaneMI{@Zi{4ETyw@g3+|%cLIA7Al1}$M`D#Hy> z*WtW{L2z{=mf)^+52!F-DC&}XbX(X7W*;{-Bx>mKnISLIyeDf#n$|^Am9#8@UD?Nl zH+FV9o5VV3ZYK*#tZ5kfq)_o9{Yx=UkNhUy3E&DjwUi~t!3@uYqR6iz(`3LrC~kPY zD(Tcm_-5EqT~sHR25(|;sZY{@lYBvG`0?k*1?@s81gZ6YsKXpzH&@39O=JA#9ekcw z3CjuQejF+TFIZWA4stDBDRkkeyS(Qk*O-l`zoR&;DuwYk8=VV$NfXT4u2K3m@kV~A z-0*A6dWNJc3|*qFONwuzo;@G@)a66E$J!j*hmYFIjwBU{@-ag09pc*b8_1|X)I`@7 zLKZ`}5ZXJtGQLIc6h)_T`ld9bc=&8gB^)yE)ti&V4QdTLjcKsT7GD!gLj&C(^looM z>SuW-7v2t|cIFSyp>_ORD}*B5Y@D%kR1=p|LT+-NDL!;RQH_lK+$@IvMd@OvD)sPA zxS727`{#_XSEq!scD^~DPzT1l$qF+BVnRJPLLNWbsx;r*Akgaz<;qSbDhY8&&RG&I zzbj{nD90JDkid*^G!dkZdsFDtLY-}1dH{DKxEb$Tm1OIkbarO2>h=R+0QL(lv{7IF z@MK7&b3HSMKYoZjb3Z>}QVKf5dv?_hp&JhRz2H&dd5bfj0$9P`W?vGhGt3ZuCDZ-v2~$gT94y_L&}fx^kO6Vv8v|k}lz)psDbLYhdf8nD zYop9UGKtxpajSYvmF@kmq6`EL0z<-10p*KNd+D6@D^5eE*liyAG@54LawB3xbbm)33K`*0M)p17#sw zTZ||ls^qx)y`|b0#m!K|*i!xIax;?YJb5T+W}I8GhyCWiNzmY)$)|Dhkwt|#Q0P1y zjL^kg$usZi2@6k%S1#!MtYM75h{L9r z-BC7bZ@>5K?1HK)NQ_{P!_AiF*c!oe ztK)m!@Yz}qPNtNkt;P+9YymLw;Mnnz*Z43l*`FrJOYJP`R^uA#>WN z$(|a1of$8PyAXyM>>5tdbV$ZIPkRm^*B$=i%P2a6<`QN?WEa?C{cZi=P;vbo4nzAp z1YdQxt)WTjKvr_pdV#KqAU~U{kf|`A)+N^$Uj%XKaZL$8Jm;jtg+1Z1lS21C1^8qk zj$6POL>yV+)kzvL_622> zRC4T?ZKF6^Lwzzy8istT<2d^+=3ET4IrpSccH0X?+Ej3w?~M3JK#yDN@%ZpEaBMkK zIxHl1{ti+De+eVL)tl>*Z(hAA0)>(Hc(D+O>ub6E5Y}oj_%7zh&%Cums&`gp&Szp; zJASXrgWtsV7q-G^^q{#rD6i3bS-dH}?lvpMFuk0bnIw~v`t;Q5k3>X3Tg8g0!6n%b zp}dDPcXJQ>BJYthxWjVM?!sO!z<+Vrc^Al+$=&t2-0nWAF_+(TX^lg-6PNVHNmY0~ z=yZvJ$+OaGC_^?U;Z1u*DtzzgyZc4_52>2H<>2f##d_5 z?p+#iOU}RnJpu)h)e?hH|azE?%SzV1brS+N|9YV7Eo|m`nKSdY}YmH60-L= z(@Q%Iockp%3AojQq^`DWRqosonA^r0RjIqE%p6%2o3D`knwMoi_x7Xlbp6%c4EErv zwwV!_AeNiv8xC%+JTFQzR*PZx-d20n^7x8ieRvQAQM>3b)L!*O*3%YOzBnF<=44_}`pBS!acy`xy}7tD z(%^@TXE5eE#Ecz;vL1GylECCA8`zDvwlG-cM6hM@yFoU0L0lJrBpQ^8z^T#9)Q<0C z;f?v-o|T$OoBNx`QDx*G{Mq{9TTwovmooxlYPo~A26Uft9*4%msAfcu9FWKrjaie4 z>R=QVH~knG81s>9TP;OWk5ju13pay#X2OOTG8oX1>l~2F1VSg)UGuMhj&Ngk&% zd?diaz6s@zD&(^0QQ@9|v9arjODn~xSPIu*Ccm$;iDFj0MW<*xJtLV{zpgTAbu##3 z=qR^`Z@+RPM|;6PxBQsc*&Y*@1&M8U{AsQ(QrgWY$f{V4kmz&dCo(}-O)tH#*KSeZ zTjNun8-2NZ7 zw}a5LPq@XqBeIj?L)|D8SA%(`L)}q;X?kBPc$x+a9NhH0FX@SJLy5M!#M(x6b81hn zcaF?Hq(mhislBA@Z%8>%`W%oc zkNn_75o(6^R)j*{mdH<(S;AFiw})52Q;$yC$*^`2LM)DxviZAdS=VYJhWgNh&n5$m zW%tKK)`suw>V@vmD|)y4@Ar#1NdPT6I(M%e6bN{cc0&M$j*@%_QBkIuL~{PjushRx zC&BZZ(Cf#j_SOtd`?ODvl`k83Imo&Azi!%?c=$@`(=vZBfOeU-Om)#wv1N@Bt33=0 zcA`QT*qL41pUPF~N=KVqnS_R&qpl9W+&n8j8`($j64gX5St)Ng$^44v;eY5Rp#KP& zDOhsG3qPa7LigEl-8y;~Ic*&yj!&_Llmo=~vr398fV`gVJJo3H)$LyVyEKcBMQSsl z0-n(jchl@eTbV#?mct8Ry;=GShLM9f>mFM_M0}5)24`BEJDeI(Wq23XTF>GDppZ02 z)BDQo&D)&-sfoQJo?F}R2Ezy(m`m+tgNKH{T-u>cU zR1=C*?pC0Xc%yeVq+O?CuUS%bMMcatZ2xVYx40TM!yE*;}c5hmm(cB7O zQJplCy}T^!Q~6ZsJ+ES5~l1quW%D zV6$!4!zGoCs#f38I@+F_zMxXo2^^Yu7|l%!ecJ#+;>-&p>IqG=w-Qg-j-7k~JuyiB z2h@ky1X~|$(r}DzkeOrvU0-;uBRt)OQ1w}VjGd#ezWEH?`$_K7;<6+) ze0kE7mbbyW5|hF;c*D4Johr*R-dAMoU#o}#cle0PJd{UfZtCYb#DM_sb`|}39K{TJ zJhPWvR;2$-T>pni1=HC+4HS&Kk>;1q`RH*=`8yvsSXoL#d|^mQ?J9-~MH6R-sw>9= zl2K{$>6J?=1KI%B!h)CArwDH%Mzts)NV%#ha}{VZmrU3cUXhzTu{K;_)ijpuhWfHP z@1y0{OJHuf4BgsYOU=;|3CZ_WdJcmyB zUg2<@-4;L6)=e+;y~iMwK6t2U(f5t3pK&`SlXLzO%LXzLu_n7ryzliGdwJG*GpBaC zOv-o#g2hYfW1LO|jPg__ypD@HkdwFXR)q;7NmkRBmSi=?-SS4Qh8eG2Z*MA}qLqgF z@-CbCRazv>x6pfRdX(G51R{ECQ)4}+a^jg4q~6!@>rLT-;fAU@D-BAzW>8JrVzUTY zj8jo$MkDvB%9}IbXP4F>Pc$MaU`3MRm;zG+RaI03^Bvj0~b-WQ~ZR;9ENI6sJKJD4}{Zl{?-<=CmTq zJy@9p#)$lx?(E+N4TaFiSE79azQM4)itGBW`<~&esGpvb^VKzB%m-4moDEeEv29A8 zS!<1V8gz)AR;bbZKO&Rwtopu5)F*Eq((@w*nan2}wZ5{v94{%)_|{P)Jv}M~ zYc!_t2GPRP@Z|{^)yZ1by=AM_WQ=Tq2(PovB+wl$Ys! zbWe3Cb)f~j(Un^%1RU=&-vvb5N7n?d%-zp2Ym+2T&Let!SekI=!6~Wy)^|ow9XfO5 z`76}pZCx2^^FOhy)n9qU205|3RowEDYZ4>snN5$RGT=4F*U^vAFH~)O(-z>m*jFrq zxqK&H@H(--{u63LPFXhVMO8mR2B7G2pY~!T`?cA&cPXmf7y7g|4HMMo-CkT-oVR{Wk^>&H-m z5nJF#&3<@Y*v$SFX4t%ClW!!xW={IZK`rk3n}$#}x-+b7KNZ2h3P>B{TqnM%Y|00S zVLqaxeAo|+c?qShDa|Ee3cBg@*h$=AY-6+Clsidir%rUPetDaGeMx87+G=LnI5TH{ zStx<1&t4bWN2=bV{H4z~plDrosJ92J9yvb$m6~aTw@*NpegrOdnFuoVC8UtOg6C0- z`e%KsW_v?c>Q)pF@Vjn}9UJ6IOS6FGOc2WEsUOwS_ z#JT`@wQV&3w0{Ls6a8VnyI0}FNYR(kfV+S<~Yofqm6mRekHXomh9<_sgmS0{-2 zuOHd5yc%0QNF*(G(4qp}tut(6)xDK(!;xRNPj;|#Gr-dnd8hG>$+@L(5hHQw+$>{= zjYl!R8-t?G6%W*0Z+k4$DN6CCrg#HlN*V9^oC8-{@~Vmd)HzX2!Qf$+J-|rU@_WHD zPO6d)g86(7bkWn)r|zy9@iq^}BeX4aax34jAdig_2y}wldkH}u>qI}xR|+O1YDZ6L zKi7r9PxAF1dXC2T`S0pV^o)CC+GlFNbq~Yb(U&5o5uhb>Z35o0Lk`q-gkxhNL{x?A zt89F*h{x_>8BFGd%M#?l7;W4LKPBDm<6337fe|uU>>YlI%I~+oBRhMlI01ibnOo7n zrwxyZ;FG?AUmF%vzPQ?1)+s5q%uXv)A1i)oGHFDC&gk_}>ccOVq0NRsn@hK>RcPyS z1~3lg)Z78Kt~%JFHCDmT7TXULz1dHPc1C-UeycsTg-_&Q&744tpjpEdqeYP{K-A<< zZ;kQ6-7zt%JX+icaZDgcH$uir+{+{XLt}J>WA(n0TupoXV&$?9SMv%U7Qql>Poj## zDjnIQ)OF7qOnMXDIo8wA20l7i_VKOFT$6(&^o_o4F z;zRpVnO^NO$DQ~_8bUm7<-2BXc!h=sQ*LYH7ShTzwpvYfUBNoK^_fEy zzV||T!6X&p`Nkpq;-%^pKw{OE_k|&5Eb{$EPePmDOBg8{t>t2Q47lX;JEBD^By@=g zkHZ<05jewFC}iP}x2g42M9{pr+2^U?N{5FQP}Y!*+9rq?h#t;V_v_uuJ@fMie0tU* zcRHAH5s3tP2@vjZW~-i3l$%>11UF21-hIX0JE4lQ;Yd4lSJq-Mhuac@u?Y3OxWz+L z{~=>p;r3-$XGEohfZM~JZi-Sx<{D*RD6`|i1x>d}C z6aCvh`K&W|(1>${!mBv#PkR=&?Q&~Tk-@QT371A~Dwk@)Dxwthi@6Z2(WSmc#@TnD zIUz;fyzErrkRwp)NZi>ZAxjhQGP|ekKx@FE6e!IUJQ&iK-s0@OYH;7S#BmcnJ<)uj zMNs?JE|gDsdn@G}Q}+P5B@4$2A1+4L9Cy1V7$JO!eay1 zuL9bl60LHY;@KFDr@{!r{BYvOb_ZW&=EZfl!8tB7kH%{WXP7j-6(%}*=Ynhvb+ZRe zH+Ma2g>z;|R1mXCUA9PK#jv@(p9$TY-oAvsZWKE|L9tgnG2N8#0r|1YVn=rU9VSEY zuFT84Qegs|7l!`$xMoy~fJ+ga`v^EhclgGypggMHhn1V#)enN2U4pi3M5OfV`~k>_ z1Blso=E*#}Y-bcsVHX{NSKA{K(OUnfva<||V?neqZh;}VGq}4CFgOGW7TkkFaCZw3 z+%ph@ySoPn4#6eCf(LhZdyw6|b@#sa?$&ly|Ldy$>P-LWI@RBqEFHxpj8|8G}UKdY7B?`xX}hg@9~V#gvZeN=qa)?LZq> zIP2Svqn;C-;l0SRK{k#6+3=`iy_m01GI=z|&Pn;2{GIga94p1^FLFlN5wryv5O#rM zI!|xr3|jHJHlo`Wnw);E!AAnDUAe}q7YoY-{ltg~78^!UX9xY$2#tC=sW$Lajn$LK z$3t8AKLOnL?-%_3hm}LM)l>jw-(urB1+O~o|us9Qm8NN5>m)~-@9B!jBnVt z9{3;_5g3KJk*F=`3xocQ%(e;O&${}9Be5g2+%2G}?+qt1123>T<`FETOz?hbe4`bM zuyf~!OW`?8!X*C^8)G5E#&>EBWa%G1_}mbU_kj`xl$qwkQNSbG}T;4Q-iWgv3cNq5NL=q?4!}5h&Zj36J`Gg|_g~X|^ z9U?<3DOhFhzpb205ydyI72N?zarnKbjbEc5T+YqDOB8;+g1(#H3de11Y??C|C5=M; zeawlpLQ0#Dz!|!%1?X7|8OmD@!6TIMdW~7e*c+kLQPom!uzY{gr483NHCKa0H zqa%DqN*QThVynZWX8ss6CO@Z^9?vK3X$bj>YKN6|NZ`VUSTZ8egc-$Yd*0ntRKp}^ zlg!z}`*ztG&lk#F6z{Rv1pVN2;+sI$q3&V@yIZ$$M;iZa}Evwu`oS! z2EpCcHJ6}L$!~m0qH1g$figle-RGe&8{>_|fhg(JGcQNqit+jjP*$0>v6xLnD+n)$ zrmhRS^LL9-VqSuu@?xENs$97^hav6_@E6;N7;8I3N?H{E7ZTK;lLf7~;rWd!&O8DSXnTpO=%W~-SwFJ^ zJaUkOIebN)3DHSF5YjLlZ4`!A&eUvxz6M#~f}w3+r_9Bx=kymQgvB;f+!w^@a$#Ro zSIXqVh)l9~Zvky`!3u%JZhlkpmXMFlYTWphlRYAu77yOmnvn>(hV~c3bF>Wbr98al zk{hnPmk50OQGrx#+Z(FWS<&eVQA+bSm4MhltMaB@nn8|5{M2c`8ZBj*+MnvW6~E25tF>f8QLMM3WShyArFaJ3u@bO*g#(+$cCq6 z^?^r+`G%uK)B|mO-|4=X(9pGXTTNScu22cGHRm}BBE5{Ju>2yHRa^S2a2#47b~d8E zN!#ft{X6+Ccm5#Ny&Kv!WxZd!QAdwvs2wFCge7o%z57PYN~tviDgvtIy1>gW$RD?V z=G7S_c#RCce}EY(i(D+<4d$utf=qiyi;*lzv62_X-v&7YNM z5Bh>^m=*$uVNjWYeA2==9E&pcnDXp(28rv)7EX}c7ut-Z#JW=yHvgWH7D>93}( z<+vhT6v0}(Y1yGC5mOr=%C7AWcQfp2t!6$$vXj!55dKAo-P;pEm*1$EJL z^~{9&)Z*W^^P#ylEYuQP@#-=XS!9YQV!xi{)a!5* zSG*oQ;3?Vv>%MTaBrWM8v`Uq?gor&L4gJt}OzlG=U?u7t4h6m4y?Z6aK)G3m8T!bk zt}DHa)Od?ChJBFBsQjUIa(3T_?d-XMyE2}@Khr0og1vdOGU*mi`uzBOG7#R>=#By6*x^YSD$8L-RX60c9$h$;+D7v;8W0CK zKj2_eur@&+Kz#+7nC{T5L6viPt2cTbtM9x?a_#l}Bc@LIC-SI4=-`+HVMOFauDC;&vu zL^O{`qBbF2+bEIA3KNtoKas34w=KhzFL`%mNfVL0QFAzbvh10A?xOh)+K1ifpyD28 zWoHdqPM|K!>J#KoqaxanP%iXAT(r98ZdXz96rLKZwXyI38}wNva)>u>a)lf^V!5h~ zD}diXWv&=q&o3(y9LCAb)Xtp8o+msafvxD~^ zyj`u|%Hi5yl*5*XvL3W2U$t#f;Sc3-=iRGI^UudK1BUg6!KRm!ETeIM4g7Mi`eY!vKlLxq?GVFjYvUGfh z=1J6x-ZzGU&nnxc^1vN1-1KVdtC5I+XH%l=Dj7Hl%!yD zbb<3Kq{4ci!Mz(}+9Z;kym98@1GHp&^vQT7PybFjbNe(~aOm1qWD3YLzgF8E+Alpxn`NIeDOg@E&_827%AL~h&WEb-Snd@K_TSIS-|G$0 z%Q>nJE6^}U^4&x6|AcGfk3WFw38$r5vdVUZHG4iu58w7`;VvG#UiPC>XG0E}lww3s zn+WZ|eoJ;z*nVAd&Xs7ykw6)ayLmiw)-Q|Anu8y;YJWpKDlM{a#WI4&vH%v>eT%NT> zpFahMv7I};l`}UQ#|bcQA+<-umO~ON`GT@$iR^?Uj0R`l;`{jd+aT37xwxqb~L82|3fmnooM_ zO^VELA2;*zp$XoI&nbEEzzP@Au}$e)Xja`B&2Ev%#fxuAxMGZ%xi*B94t|ZU-S;FI z9D7aGw;h|7*Q7Q*R0}Ue^|1Pl+I?$-sMt~jA#|J)J%aL6-{>}^BbBhm#3T;=3#INZ ze2L#P#+`g_7<2~C*q{=X#IFQaVbAw>S?6s_94T`a>XI?eRBLG$2BT@lps{b566$&e zzv!7H2SKMQ^XjmzuR5~2qppRSy#N<#0 z?|dY&i^W?{lXL9&O_Syx;1j{)mSj}NVMeE8vYnR>6vTNq1FXu%`Eh;F;Xb~jtf-bF z-n-RZ_W`6Ve&I;D<89ZtAIYAjuyL{tgBL=u96pz#C)YY{bC8A{jFAJ~!@pC}9^oW!w1vuq3-KRSA zjZRV9Ot>h6(eALe@zbUbIKx|@nXU|yFxc}0kZg)2vMxuXTQc0IlVF35z3EYOJ}!~ z96%!sE7QrI{EFT9dHq;7m5SV)f261h}_uk-^^LxR`Uq;g$> zKhQK=HJK_csrWi~waFYE6)ry{RXdUj&;Iy`JvR}=d$aLrPJ|e7PxW+;wpYytD|uJ! zI}Uy7!N|ah2xbOT?lM!)S3SV@F%d6%7H7gH_p{`h*?6CO(0Z+EdrqA-I=teJsSEQ0 zOu@`f5syS_OzC6l7I|b92=pG^)rh|*xMLoDA1a>+OK6jX)aU&Ko(|2dWSwpND(J1M zQQZ+Q^1jA^V1vQID7Bf*+#1POIe=ORy-awF+Gb0d2sVeh_SI!Q!3A1_2vs-CIjd2m zcX2u_%$`3IdlH4=WU2A~wbh6WMtEtm6B7{KPLs<&u$|5Y`w+?Vrw~fg4|4Avx$7=) z9}Kg^g&mk|7WAdhn2$W{bW_zaON{a&S_Mwh=ncfLho2g@)qvRclf1zSmWF&cbo%bx zK5%=EVq1eG1QJr=i}`T~-OiW6>B`!#E+X!;<@I|ZP$ReY!UURw6CuV0wiG8CFs7D` z9zX7kHdqaSNs5XHZOhr-xHVkFKIapN9asR$7aZU27e)Z3Vlqd7>@)BP1$OCN@1aLcdyE ziPgb(vaAOv8>e!PYSk5ck`!j~3cg5UNFnpSM@?ydk6DK36p5;-v&il2@P*yx3Z%Ww z|0S`4OwDe!hGFwZXX%xJv-+|ccM{Z0R?_9q zL(XxKwIO`ZOF+7Mzg>K>*eKGCkQrVaxZoY-jv!iUKQu1>p__U=zdz;YXgsZUy2s(L zd6ebcnr-BX*E;FYc#Xi%ysu`|?hBXFvB)oudNt5RsvCr^@D+Hg>h8oF6-R@UG&Bb2 zL(U;x(n?|eSa!~UCQ_QIgR8lhj%vL46yF>Q3k8%wyk?uR;?T<9cgM+A#oIG~wZ#ml zxL>cWaR9|+c!(e?Di~jPEN?+w_aXJ@K*>%_FF8t84V0ew$gS|qW|q~- zw2jo)Qoaj|i@5F*y%gu73UtCEWPNP7Ctv0erlY?)DP}ZNXcFCyxBHXv7SN35qj6e&clmzpY~=$Q_|uGTFj(bS?spc zx5r02bU)|BsqaK$IwA(QY*XjgxLKAp$|FOYRqb%D!A{>*HEl?J_8V0YOc``G8tFHX z@qem}A3uQQ-PtyHN~mo6?|UxVoj3<%6_gFW0!Z+&*Wl7i{k8`?^Bf(Drb!?0=K}Be zK4f#ySn9cw*9$F#$f4?d-cUl!tF}w3;?7M8mu=xs9N8K(B}=1auuqzixTk@!s(l%e z2#t+TyfmQGw_W)*pu4l?01Pf2$H&MKc4D7RG(m~D3lfz7nr_#Ps;Ddg!Q4tJ$(MEU zJPkadh*2V-6-(#O>NCbpeIZ8)+$MNANz87;JR^TapM;)5&!*dFHw)Lk0(-_RT zlQa?WMkVsC{=(FhDT)EnW0jb6ar2Mn9gT``UOqTV1MGkZo^|PDygAu^BkFbp4U>lf^HNn4#+5=2?+BT>OH!J6%0iUY^i31&7Rq z)Lex7TUw{wrqkU`(#`?!3er0pNGR6EtbXiu!miPced8|Qx$qhzFA=m<>nYZ@rB)3Q zccYf2>hK{&@Ku1IVWO)aj8)~=ZMU@?k;+V^GaYQ<79kOCO|`A~xQ_+{A4uNn9GrW_ zm%2KK(jM%?4o9&mgdO;^Q!Qa})Uh|PoShrJp`MJ8P0!-t16wh!NiBYRNwT?lus@KJIK7_ zF(Dx2;AknFa9q;isTER{!>N;S#xh-!Cz%7b(%hBQWoki75VjCaptFj@hv6C!Hxf(R z9Wl1aEmA#w-@eJ9Q9y_!aRGhfeE~*C&7w_AX0fj0c>0td5RJ1hDUOWFb#6OwgFvjv z2dnVwe&!bq;)nfK6Tn=~{Up80rsHA6QCdev2Uet7`x{fi(&=q>e-B|^T;|5_tPn%B z!`>AZRJ5Tf_3vbY$b-IS5rg+5n6s<&FX66aYA4?zZygKEU-+EEslP-0}943d2HON<+^lc!o)-41W5N2CN%`ujj zO}R8r&D$=z!q|>RHV~WTe7~_J@Os1n3y%=YJ;>s_L+aj<E#H}eMFbs?Hc@A_lei_S0^U0Lrh7DQ(4Nr```NrwV;2=f`WdNI>`}RYsCM{}LJ!M>`+u5IZaCItzb* zu27Sy_w%8Atk4yMq^OO*+Bu>5wzw->mdUu!To;#pdHEq^EU)t|;<|d!t68LYQSNrX zxfAnajfoAM+?co?KaJZZcQT$i*5e770)e{2)pG!SVS7noXcDgy*L(D|gq_GI?pyp^yz4J}Xw|_}|es#7YUwK=KM%NWiB+$!>=5q4@l$-5hui~8+0+M9H;YDF?2tU6ZDP=6RXdJ zs2g6Nwk|t(t4#L4u-d$JiSlxB_>Kh;TE3T(WSHkMOWFtJ&v_w8{PIH?iva_%C((2d zse*3wE_qzS;I~oDn^|q|Zr#w}Ki_s7WXzSHv3K9|(HoN69|$nP77ipNqKyOLP0^z^ zW+2`EU-pFTP!JrlrI(U=S3s`XJeW0pHtXl#+19zz!Dpqnw}^NPlCy3Hg%liRZI>PM z+v43FbR{P5kSOI({B>kSC!K7Nq+N#bV==Tbk2qo~7bmUvQ7aR6vE8IwFtG{@uFE&t z{YpxozJTP8;oge=sUB@)v)yXJhG%&dYZnvtCXWKtscqQEbK93ye#hH&fxP6Mrji5pTpF+R(*M++q$StdUB>; z7>Ibr-3t($lDk>?qhM9&L=y`5aP<&+3vHd7%)Fck&X7=ij!0H+^l{f$L*nckr?g)m zCgueZ-V0-8eOfuB{Ay5dA_3nceP<$_iv6;QxX_=QqQz|IILk z^~A6`^zaA6{l6FvpBNIJ8m8y-&&TgpEOo? z?*3Ski-LM)z8irBa>JS&kQi)f6E~In}PrTWBBV7Fceo*@pExUk?`-u-4xc- zfY+Qq29)c_(_d!%v$*4?@Qi|bW{CWI2D#r1|5hIUheuZbcMeN`$zlE}2kfWE<$NgR wj~uX{ek$%~21JR!&EfTL2EP9yhmzkp#Q!A+?57;&pNGsw=>N!p|2c>M0l4vEE&u=k literal 0 HcmV?d00001 diff --git a/testing/btest/core/tunnels/geneve-47101.zeek b/testing/btest/core/tunnels/geneve-47101.zeek new file mode 100644 index 0000000000..afc33d02ca --- /dev/null +++ b/testing/btest/core/tunnels/geneve-47101.zeek @@ -0,0 +1,8 @@ +# @TEST-DOC: Tests a pcap containing a packet of size 14196 bytes with GENEVE encapsulation. Regression test for #2683. +# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/geneve-47101.pcap %INPUT +# @TEST-EXEC: btest-diff conn.log +# @TEST-EXEC: btest-diff tunnel.log + +@load base/frameworks/tunnels +@load base/protocols/conn +@load base/protocols/ssl From 6941e44aba47192a6a6440114a56dd5e5f8df702 Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Wed, 24 May 2023 16:38:33 +0200 Subject: [PATCH 09/10] packet_analysis/TCP: Do not use untrusted len for DeliverPacket() We should not be passing the untrusted TCP header length into DeliverPacket(). Also, DeliverPacket() cap len parameter should be the capture length of the packet, not remaining data. --- src/packet_analysis/protocol/tcp/TCP.cc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc index 6d6dfc4dbb..7df5236048 100644 --- a/src/packet_analysis/protocol/tcp/TCP.cc +++ b/src/packet_analysis/protocol/tcp/TCP.cc @@ -130,7 +130,8 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai // Call DeliverPacket on the adapter directly here. Normally we'd call ForwardPacket // but this adapter does some other things in its DeliverPacket with the packet children // analyzers. - adapter->DeliverPacket(len, data, is_orig, adapter->LastRelDataSeq(), ip.get(), remaining); + adapter->DeliverPacket(remaining, data, is_orig, adapter->LastRelDataSeq(), ip.get(), + pkt->cap_len); } const struct tcphdr* TCPAnalyzer::ExtractTCP_Header(const u_char*& data, int& len, int& remaining, From c4d159d1ffb4bf8964a2bac83c02e612c6df9edc Mon Sep 17 00:00:00 2001 From: Arne Welzel Date: Thu, 25 May 2023 09:12:38 +0200 Subject: [PATCH 10/10] Address wire/capture length feedback --- src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 6 +++++- src/packet_analysis/protocol/iptunnel/IPTunnel.h | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc index 4730e13f79..1bfb69b09d 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc @@ -182,7 +182,11 @@ std::unique_ptr build_inner_packet(Packet* outer_pkt, int* encap_index, assert(outer_pkt->len >= outer_pkt->cap_len - inner_cap_len); // Compute the wire length of the inner packet based on the wire length of - // the outer and the difference in cap len's. + // the outer and the difference in capture lengths. This ensures that for + // truncated packets the wire length of the inner packet stays intact. Wire + // length may be greater than data available for truncated packets. However, + // analyzers do validate lengths found in headers with the wire length + // of the packet and keeping it consistent avoids violations. uint32_t consumed_len = outer_pkt->cap_len - inner_cap_len; uint32_t inner_wire_len = outer_pkt->len - consumed_len; diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h index ec91ac605e..9b1fbe35bc 100644 --- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h +++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h @@ -83,13 +83,17 @@ protected: * builds a new packet object containing the encapsulated/tunneled packet, as well * as adding to the associated encapsulation stack for the tunnel. * + * The wire length (pkt->len) of the inner packet is computed based on the wire length + * of the outer packet and the differences in capture lengths. + * * @param outer_pkt The packet containing the encapsulation. This packet should contain * @param encap_index A return value for the current index into the encapsulation stack. * This is returned to allow analyzers to know what point in the stack they were operating * on as the packet analysis chain unwinds as it returns. * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered * in the inner packets. - * @param len The byte length of the packet data containing in the inner packet. + * @param inner_cap_len The byte length of the packet data contained in the inner packet. + * Also used as capture length for the inner packet. * @param data A pointer to the first byte of the inner packet. * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can * be passed for this value.